CVE-2024-36402: matrix-media-repo (MMR) allows unauthenticated writes to the media repository, which may allow planting of problematic content

January 16, 2025 (updated January 17, 2025)

MMR before version 1.3.5 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository.

References

github.com/advisories/GHSA-8vmr-h7h5-cqhg
github.com/matrix-org/matrix-spec-proposals/pull/3916
github.com/t2bot/matrix-media-repo
github.com/t2bot/matrix-media-repo/security/advisories/GHSA-8vmr-h7h5-cqhg
nvd.nist.gov/vuln/detail/CVE-2024-36402
pkg.go.dev/vuln/GO-2025-3397

Code Behaviors & Features

Detect and mitigate CVE-2024-36402 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →